
I'm freaking out. So earlier tonight I tried blocking a connection with Advanced Windows Firewall. It turns out Advanced Firewall gave me a 0x6d9 error and couldn't do anything, so I tried to fix it by updating my firewall settings with the "use recommended settings" button. It gave me a 0x80070424 error.

Wondering what was going on, I googled it... good thing I did, too. Apparently these errors are evidence of a rootkit.

Following the advice of one of the pages I found on the matter, I downloaded and ran rkill. Among other things, rkill detected a "ZeroAccess rootkit". Then panic set in...

Luckily my motherboard's company had a free 60-day trial of Norton Internet Security which I hadn't gotten around to activating yet. Before this, I had been using Webroot SecureAnywhere, which apparently is worthless. I've had it for about a month and, as it turns out, for that month I've been using the internet to manage my bank account, make online purchases, use passwords, all that great stuff that makes me a gold mine for cyber-thieves. Well, that's just fantastic: my whole life and that of my family is out in the open for the entire internet criminal world to play with. Thanks, Webroot!

Anyway, I activated the trial and immediately Norton popped that little notification on the bottom right, something to the tune of "Backdoor.Graybird". Yes, it removed it... but then (and since then), it started picking up and deleting that ZeroAccess rootkit that rkill found, over and over again; specifically, Trojan.Zeroaccess.C. I updated and ran a full system scan:

(Forgive me for not putting it in a scrollable box; not sure how to do that.)

Additionally, an "action required" box came up. It solved everything, but I'm worried about the nature of some of these things:

Resolved Threats:

Suspicious.Cloud.9
Type: Anomaly
Risk: High (High Stealth, High Removal, High Performance, High Privacy)
Categories: Heuristic Virus
Status: Restart Required
-----------
1 Registry Entry
1 File
1 Browser Cache

WS.Trojan.H
Type: Anomaly
Risk: High (High Stealth, High Removal, High Performance, High Privacy)
Categories: Heuristic Virus
Status: Restart Required
-----------
1 File
1 Process
1 Service
1 Browser Cache

WS.Trojan.H
Type: Anomaly
Risk: High (High Stealth, High Removal, High Performance, High Privacy)
Categories: Heuristic Virus
Status: Restart Required
-----------
2 Registry Entries
1 File
1 Browser Cache

Suspicious.Cloud.2
Type: Anomaly
Risk: High (High Stealth, High Removal, High Performance, High Privacy)
Categories: Heuristic Virus
Status: Restart Required
-----------
2 Files
1 Process
1 Service
1 Browser Cache

Suspicious.Cloud.2
Type: Anomaly
Risk: High (High Stealth, High Removal, High Performance, High Privacy)
Categories: Heuristic Virus
Status: Fully Resolved

Unresolved Threats:
No unresolved risks

So there were trojans and there is a constantly regenerating rootkit in my system. After some light research I found out that rootkits are generally meant to get malicious programs through the scans clean, or at least that's what I gathered. Seeing that it's regenerating, I think it's been masking the malicious program that's regenerating it, and who knows what else it could be hiding...

So what do I do? Do I have to kill my debit cards and get new ones? Do I have to change all my passwords? I'm not sure exactly how far the damage has gone, and it's frightening to think about it, considering how long this crap has been operating under the radar on my machine.

And now Norton is blocking intrusion attempts. I mean, yeah, it's good that it's blocking them, but again, this means that before I put Norton up tonight, these things have been happening without a hitch...

Anyway, Norton requires a restart. I'll update this as necessary and try to follow all instructions to the letter.

UPDATE: After a reboot, it seems the notifications completely stopped and Norton is in the green. I'd still like to make double-sure that there is absolutely nothing fishy in my system as a result of the rootkit.
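The two firewall error codes in the post are worth decoding before anything else, because they say what the rootkit actually broke. 0x80070424 is an HRESULT wrapping Win32 error 1060, ERROR_SERVICE_DOES_NOT_EXIST; 0x6d9 is Win32 error 1753, "There are no more endpoints available from the endpoint mapper", which is what the Windows Firewall with Advanced Security console reports when the firewall service it talks to over RPC is not running. Either way the firewall snap-in failed because the services behind it (MpsSvc, the Windows Firewall service, and BFE, the Base Filtering Engine) were stopped or had been deleted. The script below is an added example, not part of the original post or any product mentioned in it; it decodes the codes and reports the state of those services so a reader with the same symptoms can confirm the diagnosis. The service names are the standard Windows ones; the helper function name is my own.

```powershell
# Added example (not from the original post). Decodes the firewall error codes
# quoted in the thread and reports the state of the services the Windows
# Firewall with Advanced Security console depends on. Written for Windows
# PowerShell 2.0+ so it also runs on the Windows 7 era systems ZeroAccess targeted.

function Get-Win32ErrorText {
    param([uint32]$Code)
    # HRESULTs of the form 0x8007xxxx carry a Win32 error in the low 16 bits;
    # anything else is treated as a plain Win32 error code.
    if (($Code -band 0xFFFF0000) -eq 0x80070000) { $win32 = $Code -band 0xFFFF } else { $win32 = $Code }
    $ex = New-Object ComponentModel.Win32Exception([int]$win32)
    New-Object PSObject -Property @{
        Code    = ('0x{0:X}' -f $Code)
        Win32   = [int]$win32
        Message = $ex.Message
    }
}

# The two codes from the post.
Get-Win32ErrorText 0x6d9        | Format-List   # 1753: no more endpoints available from the endpoint mapper
Get-Win32ErrorText 0x80070424   | Format-List   # 1060: the specified service does not exist as an installed service

# Services the firewall console needs, plus the two a disabled Security Center
# and Defender would show up as. "MISSING" means the service key is gone, which
# matches error 1060 above; "Stopped"/"Disabled" matches error 1753.
$names = 'MpsSvc', 'BFE', 'wscsvc', 'WinDefend'
foreach ($n in $names) {
    $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        '{0,-10} MISSING (not registered as a service)' -f $n
    } else {
        $wmi = Get-WmiObject Win32_Service -Filter "Name='$n'"
        '{0,-10} {1,-8} start={2}' -f $n, $svc.Status, $wmi.StartMode
    }
}

# The firewall profile state as the OS itself reports it.
netsh advfirewall show allprofiles state
```

Run it from an elevated prompt. If MpsSvc or BFE come back MISSING or Disabled on a machine that showed these errors, the machine should be treated as compromised and handed to a malware-removal process (as the reply below asks for), not just have the services re-enabled: whatever deleted them is still the problem, and Norton repeatedly re-detecting Trojan.Zeroaccess.C after "removal" is the same symptom from the other side.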

Please follow the instructions in THIS GUIDE starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it HERE. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.